Friday, January 24, 2014

Security Management Weekly - January 24, 2014

Corporate Security
  1. "ASIS Releases Revised CSO Standard"
  2. "Pirates Suspected of Hijacking Oil Tanker"
  3. "Google Glass Deemed 'Not Appropriate' by Cinema Chain Following Homeland Security Incident"
  4. "Security Firm Traces Target Malware to Russia"
  5. "Breach at Neiman Marcus Went Undetected From July to December"

Homeland Security
  1. "The Hidden History of the CIA’s Prison in Poland"
  2. "Watchdog Report Says N.S.A. Program is Illegal and Should End"
  3. "Israel Says it Foiled al Qaeda Plot"
  4. "Sochi Threat E-mail Sent to Several Nations; IOC Calls it Not Credible"
  5. "Lawmakers Skeptical About Obama Surveillance Idea"

Cyber Security
  1. "IBM, Lenovo Deal Likely to Spark Security Review"
  2. "Homeland Security Breach Exposes 114 Companies' Data"
  3. "VA Software Glitch Exposed Veterans' Personal Information"
  4. "Card-Theft Software Grew in Internet's Dark Alleys"
  5. "Java's Security Dilemma: Old, Vulnerable Versions Won't Go Away"

ASIS Releases Revised CSO Standard
Security InfoWatch (01/22/14)

ASIS has released a revised ANSI/ASIS standard governing the role of chief security officers (CSOs) within organizations, replacing the 2008 ANSI/ASIS Chief Security Officer Organizational Standard. The new standard provides a model that organizations can use when developing a senior leadership function responsible for the strategies that protect the organization from security threats. Jerry Brennan, the technical committee chairman and CEO of Security Management Resources, says the new standard will help organizations determine both their need for a senior security executive position and the competencies best suited to that position.


Pirates Suspected of Hijacking Oil Tanker
Wall Street Journal (01/22/14) Werber, Cassie

A Liberian-flagged oil tanker owned by Dynacom Tankers, the MT Kerala, has vanished off the coast of West Africa and may have been hijacked by pirates. The shipping intelligence firm Dryad Maritime Intelligence said that if the hijacking is confirmed it would be the most southerly hijacking in the region conducted for the purposes of refined cargo theft. Dynacom said it has had no contact with the MT Kerala since the afternoon of Jan. 17. Dryad noted that, in the days preceding the disappearance of the MT Kerala, it had warned that there was a "suspect vessel operating off the Angolan coast." Though piracy is on the decline in some areas, the number of attacks occurring off the coast of West Africa has increased, with Nigerian pirates and armed robbers accounting for 31 of the 51 attacks in the region last year. In addition, Nigerian pirates are reportedly increasing the area in which they will attack, spreading into the waters off of Togo, the Ivory Coast, and Gabon, and now, if the disappearance of the MT Kerala is confirmed as a hijacking, into the waters of Angola.


Google Glass Deemed 'Not Appropriate' by Cinema Chain Following Homeland Security Incident
Guardian (United Kingdom) (01/22/14) Beaumont-Thomas, Ben

Following an incident involving a movie-goer wearing Google Glass and homeland security officials from ICE, the U.S. cinema chain AMC has declared that Glass is "not appropriate" for use in cinemas. The movie-goer in question wrote anonymously on The Gadgeteer blog, detailing the incident, which occurred during a screening he attended. He wrote that around halfway through the film, police and ICE officers pulled him out of the theatre, took him to a room, and began interrogating him. He said that despite telling them the Glass was switched off during the movie and that he was wearing the device only because of its prescription lenses, an ICE officer brought in a laptop and a USB cable, gave him one more "chance to come clean," then connected the Glass to the computer and went through all of his personal photos and then his cellphone. He wrote that he received no apology and was instead offered four free movie passes. The incident was confirmed by ICE's Khaalid Walls. AMC released a statement defending the actions of the theatre managers, who contacted the Motion Picture Association of America, which is responsible for safeguarding intellectual property, as part of their approach to preventing movie theft.


Security Firm Traces Target Malware to Russia
CNN (01/21/14) Gumuchian, Marie-Louise; Goldman, David

The security firm IntelCrawler, which last week identified a 17-year-old Russian as the author of the malware used in the Target breach, updated its report on Monday to say that the individual did not appear to be solely responsible for the attack. In the update, the firm identified a different Russian resident as the writer of the malware that infected Target's payment system and compromised the credit card numbers and other personal information of as many as 110 million customers. Security researcher Brian Krebs previously said that the Target malware contains code pointing to a Ukraine resident, suggesting that the author may have shared the malware with others. According to the IntelCrawler report, the first sample of the malware was created in March, and more than 40 versions have been sold worldwide since then. To date the majority of the malware's victims, which first included retailers in Australia, Canada, and the United States, have been department stores, though more infections and new breaches could occur soon, warned IntelCrawler CEO Andrew Komarov.


Breach at Neiman Marcus Went Undetected From July to December
New York Times (01/17/14) Popper, Nathaniel; Perlroth, Nicole

Sources report that the data breach at Neiman Marcus went back as far as mid-July, was not discovered until mid-December, and was not fully contained until Jan. 12. In its latest notice, Neiman warned of fraudulent use of certain customers' payment cards, and said that it will issue alerts to those customers for which it has contact information. The retailer has not publicly disclosed any estimates on how many credit card numbers were compromised, or the number of affected customers, but it did note that it does not collect PINs in its stores. Although Neiman only publicly acknowledged the hack on Jan. 10 following inquiries from computer security journalist Brian Krebs, it had informed credit card firms around Christmas that it had proof that credit cards used at its stores were being employed for fraudulent transactions. Some critics take issue with the company's decision not to publicize anything until the shopping season was concluded, but a Neiman spokeswoman insists that the holiday season was unrelated to that decision. Neiman has promised to give customers a year of free credit monitoring, while a group of state attorneys general are jointly probing both the Target and Neiman Marcus breaches.

Homeland Security

The Hidden History of the CIA’s Prison in Poland
Washington Post (01/24/14) Goldman, Adam

The Washington Post has published a report, based in part on interviews with former CIA officials speaking on condition of anonymity, on the interrogations that reportedly took place at a now-closed CIA black site in Poland. The officials noted that the site was chosen in late 2002 after prisons in other locations used to house high-profile terrorist suspects proved unsuitable for the CIA's needs. The CIA reportedly paid the Polish intelligence service Agencja Wywiadu $15 million for the use of the facility, and eventually set up an interrogation program that involved waterboarding, sleep deprivation, and slapping to obtain information from terrorist suspects. Abd al-Rahim al-Nashiri, a suspect in the 2000 USS Cole bombing, was reportedly subjected to a mock execution, while Sept. 11 mastermind Khalid Sheikh Mohammed was waterboarded 183 times. Former CIA officials directly involved with the interrogation program at the prison, which was shut down in September 2003, say the techniques produced "dramatic positive results." For example, Abu Zubaida, another terrorist suspect detained at the prison, was able to identify people in photos and provide other information. These disclosures about the prison come as the Senate Select Committee on Intelligence prepares to release a report on the value of the CIA's interrogation program in obtaining intelligence from terrorist suspects.


Watchdog Report Says N.S.A. Program is Illegal and Should End
New York Times (01/23/14) Savage, Charlie

A report issued by a majority of the five-member Privacy and Civil Liberties Oversight Board on Thursday has concluded that the National Security Agency's telephone metadata collection program should be brought to an end. Three of the board's members said that Section 215 of the Patriot Act, which allows the FBI to obtain business records relevant to an investigation, is not a "viable legal foundation" for the NSA telephone metadata collection program, despite claims by government officials to the contrary. The majority of the board's members also concluded that the NSA program raises "constitutional concerns under the First and Fourth Amendments," violates the Electronic Communications Privacy Act, and has not been helpful in discovering or disrupting terrorist plots. The two dissenting members of the board, however, said that any legal analysis of the program is better left to the nation's court system. One of those board members added in a dissenting report that the government's theory about the legality of the metadata collection program was "reasonable" and "made in good faith." Although the board was divided over the legality of the telephone metadata program, it was unanimous in calling for changes, including deleting raw phone records after three years instead of five.


Israel Says it Foiled al Qaeda Plot
Wall Street Journal (01/22/14) Mitnick, Joshua

Israel's Shin Bet security service claims to have foiled a suicide bombing plot by arresting three Palestinians who it claims were part of an al-Qaida-inspired group in Gaza. According to Israeli officials, the group was planning to conduct suicide bombing attacks on the U.S. Embassy in Tel Aviv and on other locations in Israel and the West Bank. One of the arrested men, Iyad Khalil Mahmoud Abu Sara, allegedly agreed to carry out bombings on the U.S. Embassy and the main convention center in Jerusalem by equipping suicide bombers with weapons and taking them to their targets. According to Shin Bet, Abu Sara had agreed to travel to Syria to learn to build weapons. Abu Sara also reportedly received computer files containing bomb-making instructions from someone in Gaza. Former Israeli military-intelligence official Aviv Oreg said that while the plans for the attacks were far from being complete, they highlight the fact "that Israel has become much more vulnerable to militant attack [since] the Arab Spring."


Sochi Threat E-mail Sent to Several Nations; IOC Calls it Not Credible
CNN (01/22/14) Smith-Spark, Laura; Brocchetto, Marilia

Officials with the International Olympic Committee (IOC) have said that an e-mailed threat against the upcoming Winter Games appears to be little more than a "random message from a member of the public" and does not contain an actual threat. The e-mail, which warned of a terrorist threat to both athletes and visitors, was received by the Olympic organizing committees of several European countries, including Germany, Hungary, Italy, and Slovakia, as well as the United States. Russian Prime Minister Dmitry Medvedev says that authorities are aware of the threat and have planned accordingly. Meanwhile, House Homeland Security Committee Chairman Rep. Michael McCaul said that while there are no guarantees when it comes to safety, the security operation in Sochi "is the most impressive and well-fortified" in Olympic history. He added that there has been good cooperation between U.S. and Russian security teams. McCaul also said it was likely that insurgents would carry out bombings on soft targets outside of Sochi rather than directing their efforts at the heavily fortified resort city.


Lawmakers Skeptical About Obama Surveillance Idea
Associated Press (01/21/14) Quaid, Libby

Leaders of the congressional intelligence committees are pushing back against a key part of President Barack Obama's attempt to overhaul U.S. surveillance, saying it is unworkable for the government to let someone else control how Americans' phone records are stored. Obama said on Jan. 17 that he wants bulk phone data stored outside the government to reduce the risk that the records will be abused. Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, says that Obama had intensified a sense of uncertainty about the country's ability to root out terrorist threats. Obama didn't say who should have control of Americans' data; he directed the attorney general and director of national intelligence to find a solution within 60 days. "We really did need a decision on Friday, and what we got was lots of uncertainty," Rogers said. "And just in my conversations over the weekend with intelligence officials, this new level of uncertainty is already having a bit of an impact on our ability to protect Americans by finding terrorists who are trying to reach into the United States." The president also said he will require a special judge's advance approval before intelligence agencies can examine someone's data and will force analysts to keep their searches closer to suspected terrorists or organizations. "And I think that's a very difficult thing," said Sen. Dianne Feinstein (D-Calif.), who chairs the Senate Intelligence Committee. "Because the whole purpose of this program is to provide instantaneous information to be able to disrupt any plot that may be taking place." Feinstein said many Americans don't understand that threats persist a dozen years after the 9/11 terrorist attacks.

Cyber Security

IBM, Lenovo Deal Likely to Spark Security Review
Wall Street Journal (01/23/14) Ante, Spencer E.; Mauldin, William

IBM has agreed to sell its low-end server business to the Chinese computer maker Lenovo, but will have a challenge in convincing U.S. security agencies to also agree to the deal. Sensitive mergers with foreign companies are required to gain approval from the Committee on Foreign Investment in the U.S. (CFIUS). One of the issues that the government is likely to examine is the role IBM's servers play in federal data centers, as well as the location of facilities owned by IBM's server business in relation to certain government facilities. In addition, the U.S. government will have to consider "not only the purchase of the company's operations but the implications of Lenovo taking over service agreements for existing clients," said Michael Wessel, a member of the U.S.-China Economic and Security Review Commission. A CFIUS attorney noted that one difficulty involved in the decision to approve the deal is that it may not be possible to separate sensitive U.S. government facilities and government technology that use IBM x86 servers from other clients, whose service Lenovo is poised to take over. A former CFIUS official noted that if the government does approve the deal, it could adopt mitigation measures to safeguard U.S. national security.


Homeland Security Breach Exposes 114 Companies' Data
eSecurity Planet (01/23/14) Goldman, Jeff

A Web portal run by REI Systems for the Department of Homeland Security (DHS) experienced a breach that exposed financial information and private documents of at least 114 companies that bid on a DHS contract in 2013. The department says that the breach took place "sometime over the prior four months." Brian Krebs of Krebs on Security reports that the department has yet to determine the source or cause of the breach. Krebs was told by a DHS spokesman that 520 documents, including proposals, decision notification letters, documents regarding contract and award deliverables, and others were exposed during the breach. Only 16 of the companies had their bank account information exposed, and all 114 have been provided with a list of the documents that were accessed during the breach.


VA Software Glitch Exposed Veterans' Personal Information
Washington Post (01/22/14) Hicks, Josh

Veterans Affairs officials report that a software glitch on a joint VA and Defense Department benefits portal exposed veterans' private information to anyone who could log into the portal. The portal was shut down after the glitch was identified and brought back online four days later following "a full review of the software issue." The agency said it "reinforced its security posture after determining that the defect had been remedied and the portal was functioning properly." Known as the eBenefits system, the portal gives veterans and their dependents access to sensitive data, including bank information, disability claims, military personnel records, and medical and educational benefits. Initial estimates suggest that more than 5,300 users may have been affected by the glitch, and the agency will provide free credit monitoring to anyone impacted. Since last year, the VA's IT security practices have been under investigation by the House Veterans Affairs Committee.


Card-Theft Software Grew in Internet's Dark Alleys
Wall Street Journal (01/22/14) Levinson, Charles; Yadron, Danny

Cybersecurity experts have traced the software used to steal debit and credit card data from 40 million Target customers during the holiday shopping season. The software was first noticed by Symantec Corp. in January 2013, when it was being sold for $2,000. It continued to be developed over the course of the year before being used to infect Target's network. Symantec called the software Reedum, while other companies refer to it as Kaptoxa, Russian slang for potato. The malware was reportedly a Trojan that monitored payment applications and captured card data in the window after authorization when it was held unencrypted. The stolen data was then moved during business hours to another compromised server, allowing the transfer to blend in with normal holiday traffic on the server. The evolution of this software points to a growing group of hackers who continually improve malware and sell it in online marketplaces to buyers who often have ties to organized crime. As Dmitri Alperovitch, chief technology officer of CrowdStrike Inc., explains, purchasing expensive malware is worth the cost when it is used to steal data from massive databases of customer card information.


Java's Security Dilemma: Old, Vulnerable Versions Won't Go Away
InfoWorld (01/21/14) Krill, Paul

Cybersecurity experts say that organizations are putting themselves at risk of cyberattacks by continuing to use older, non-supported versions of Java that contain vulnerabilities that may never be publicly patched. Many organizations that still use older versions of Java, such as Java 6, are doing so because of application dependencies. Cisco says organizations often use both Java 6 and Java 7 because different apps sometimes use different versions of the Java Runtime Environment to run code. Cisco researcher Levi Gundert says that although some organizations running apps that rely on older versions of Java may have concluded they cannot upgrade them, they should take another look at their upgrade processes to see if an upgrade is feasible now. Meanwhile, Forrester Research analyst Jeffrey Hammond says organizations should consider one of three options: upgrading to Java 7 and budgeting for appropriate app testing and rollouts, obtaining support for Java 6, or moving from Java to open source platforms.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

